Change log for AWS_CLOUDWATCH
Date | Changes
---|---
2024-08-29 | Enhancement<br>- Added support for parsing previously unparsed logs.<br>- Mapped "connectionTesterClassName" to "principal.hostname".<br>- Mapped "identityToken" to "principal.user.userid".<br>- Mapped "jdbcUrl" to "target.url".<br>- Mapped "driverClass" to "target.application".<br>- Mapped "uid" to "metadata.product_log_id".<br>- Mapped "summary" to "security_result.summary".<br>- Mapped "script" to "security_result.description".
2024-02-12 | Enhancement<br>- Mapped the timestamp field using the UNIX_MS date format.
2023-09-02 | Enhancement<br>- Added a "kv block" to parse key-value format logs.<br>- Mapped "SourceIP" to "principal.ip".<br>- Mapped "prin_host" to "principal.hostname".<br>- Mapped "User" to "principal.user.userid".<br>- Mapped "Ciphers" to "network.tls.client.supported_ciphers".<br>- Mapped "executionId" to "principal.process.pid".<br>- Mapped "transferDetails.sessionId" to "network.session_id".<br>- Mapped "transferDetails.username" to "principal.user.user_display_name".<br>- Mapped "transferDetails.serverId", "workflowId", "details.input.initialFileLocation.etag", "details.input.initialFileLocation.backingStore", "details.input.initialFileLocation.bucket", "details.input.initialFileLocation.key", "Mode" and "Kex" to "additional.fields".<br>- Mapped "BytesIn" to "network.received_bytes".<br>- Mapped "Role" to "target.resource.product_object_id".
2023-08-18 | Enhancement<br>- Added a Grok pattern to parse previously unparsed raw logs.
2023-07-07 | Enhancement<br>- Added support for "logEvents"-related JSON logs.
2022-12-17 | Enhancement<br>- Mapped "CloudType" to "target.resource.attribute.cloud.environment".<br>- Mapped "AlertId" to "metadata.product_log_id".<br>- Mapped "ResourceType" to "target.resource.resource_subtype".<br>- Mapped "ResourceRegion" to "target.location.country_or_region".<br>- Mapped "Recommendation" to "security_result.detection_fields".<br>- Mapped "PolicyName" and "detail.additionalEventData.configRuleName" to "security_result.rule_name".<br>- Mapped "detail-type" to "metadata.product_event_type".<br>- Mapped "region" and "detail.awsRegion" to "principal.location.name".<br>- Mapped "detail.eventSource" to "target.application".<br>- Mapped "detail.requestID" to "target.resource.attribute.labels".<br>- Mapped "detail.userAgent" to "network.http.user_agent".<br>- Mapped "detail.eventVersion" to "metadata.product_version".<br>- Mapped "detail.userIdentity.accountId" to "metadata.product_deployment_id".<br>- Mapped "detail.userIdentity.accessKeyId" to "target.user.userid".<br>- Mapped "detail.userIdentity.type" to "principal.resource.type".<br>- Mapped "detail.userIdentity.principalId" to "principal.user.product_object_id".<br>- Mapped "detail.user.arn" to "target.user.userid".<br>- Mapped "detail.user.sessionContext.sessionIssuer.userName" to "target.user.user_display_name".<br>- Mapped "detail.user.mfaAuthenticated" to "principal.user.attribute.labels".<br>- Mapped "detail.recipientAccountId" to "target.resource.attribute.labels".<br>- Mapped "detail.managementEvent", "detail.eventType", "detail.readOnly", "detail.eventName", "detail.additionalEventData.notificationJobType", "detail.additionalEventData.managedRuleIdentifier", "duration", "billed_duration" and "memory_used" to "additional.fields".<br>- Mapped "detail.eventCategory" to "security_result.category_details".<br>- Mapped "detail.eventID" to "metadata.product_log_id".<br>- Mapped "detail.additionalEventData.configRuleArn" to "security_result.rule_id".<br>- Mapped "level" to "security_result.severity".<br>- Mapped "src_port" to "principal.port".<br>- Mapped "request_id" to "target.resource.attribute.labels".<br>- Mapped "url" to "target.url".
2022-09-03 | Enhancement<br>- Added a Grok pattern to parse newly ingested logs.<br>- Mapped "package" to "event.idm.read_only_udm.principal.process.command_line".<br>- Mapped "session_id" to "event.idm.read_only_udm.network.session_id".<br>- Mapped "network_dir" to "event.idm.read_only_udm.network.direction".<br>- Mapped "port" to "event.idm.read_only_udm.target.port".<br>- Remapped "digestPublicKeyFingerprint" from "additional.fields" to "event.idm.read_only_udm.target.file.sha1".<br>- Added the log levels "AUDIT", "TRACE", "DEBUG", "NOTICE" and "ERROR" to the severity mapping.<br>- Copied the value of "target.ip" into "principal.ip" so that event_type can be set to "STATUS_UPDATE", reducing the percentage of generic events.<br>- Added conditions that set "event_type" to "USER_UNCATEGORIZED", "NETWORK_HTTP", "NETWORK_CONNECTION" or "STATUS_UPDATE" to reduce the percentage of generic events.
2022-08-11 | Bug Fix<br>- Remapped "digestS3Bucket" to "principal.resource.name".<br>- Remapped "kubernetes.pod_name" to "additional.fields".
2022-05-27 | Enhancement<br>- Changed the value stored in "metadata.product_name" to 'AWS CloudWatch' and the value stored in "metadata.vendor_name" to 'AMAZON'.